Search code examples
dependency-managementclojurescriptshadow-cljs

Is there any difference on how to declare a ClojureScript dependency on shadow-cljs.edn file?


I have been working on a Clojure/ClojureScript project and something intrigues me.

On the shadow-cljs.edn file, there is a declaration of the dependencies. As you might see below, some of them have "a full name" declaration, indicated as username/repository-name. An example is venantius/accountant.

Others are declared only as repository-name, such as [bidi "2.1.5"] which is actually published by juxt user (source).

I am afraid this could be problematic since multiple users could create repositories with the same name:

{:source-paths ["src" "dev" "test"]

 :dependencies [
                ;; for deploy w lein deps below need to be in project.cljs

                ;; third-party dependencies
                [venantius/accountant "0.2.5"]
                [bidi "2.1.5"]
                [cljs-hash "0.0.2"]
                [clova "0.46.0"]
                [com.andrewmcveigh/cljs-time "0.5.2"]
                [org.clojure/core.match "1.0.0"]
                [binaryage/dirac "RELEASE"]
                [com.pupeno/free-form "0.6.0"]
                [garden "1.3.10"]
                [hickory "0.7.1"]
                [metosin/malli "0.8.4"]
                [medley "1.4.0"]
                [binaryage/oops "0.7.0"]
                [djblue/portal "0.16.1"]
                [djblue/portal "0.18.0"]
                [proto-repl "0.3.1"]
                [reagent "1.1.0"]
                [re-frame "1.2.0"]
                [district0x/re-frame-window-fx "1.1.0"]
                [cljsjs/react-beautiful-dnd "12.2.0-2"]

I am not sure how the low-level of dependency installation goes in a Clojure/ClojureScript project.

Is it a bad practice to have only the brief name of dependency? Is an ambiguity problem feasible or even possible?


Solution

  • Until not too long ago it was allowed to publish dependencies to https://clojars.org without a group name. In those cases the group would become identical to the artifact id. So bidi is effectively bidi/bidi.

    Nowadays, new packages may only be published with a specific group name. However, old packages may continue using their older name.

    The names used to publish also do not need to match their github repo coordinates. These are separate systems. They often match but are not required to.

    To anwer your question: You should avoid using the same dependency multiple times. And you should use the official published name for each library. Some libraries are still updated using their old identifiers. Some moved to the newer longer names, while the old ones are still available but no longer receiving updates. Always consult the documentation of the specific libs to be sure which one you are supposed to use. They'll usually have some kind of info in their READMEs.

    Conflicts may happen if you get the "same" lib via different identifiers. These may be very difficult to identify, when you run into trouble. This is true for any dependency resolver your use (eg. project.clj, deps.edn, shadow-cljs.edn). Best practice is to keep your dependencies as clean as possible.